New variant of rot-13 trick.

[Matt Kettler <mk...@evi-inc.com>]

A long time ago, I noticed spammers were including rot-13 encodings of
email addresses in message bodies.

Things like this:
zxrggyre^riv-vap(pbz

Which decodes to:
mkettler^evi-inc(com

Why exactly ^ replaces @ and ( replaces . was never really clear, but
this provided a really nice spam sign, and became the basis of SA's
EMAIL_ROT13 rule, which looks for the characteristic pattern involving (
and ^.

apparently someone's already modified their tactics for this.

I found a spam with this IMG tag in it (note: email addresses other than
mine replaced with xxxxxxxxx to protect my users)

IMG
SRC="http://www.pics-4-showMUNGED.com/1.gif?zxrggyre()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^S^S"

It's the same basic trick, but now it's being used as a parameter to a
web bug. They've modified it slightly so the @ is replaced by () and the
 is replaced by ^H, but it's much the same.

Just wanted to let people know the signature has mutated slightly, and
it's being used in HTML tags as well as body text.